Abandoned DeFi Domains Now Used to Drain Wallets
A new security threat is gaining traction in the decentralized finance (DeFi) ecosystem: cybercriminals are repurposing expired or abandoned DeFi project domains to deploy wallet-draining scams. By leveraging the familiarity and perceived legitimacy of long-defunct platforms, attackers are luring users into signing malicious transactions that result in immediate asset loss.
The threat was first flagged by 0xngmi, founder of the analytics platform DeFiLlama, who confirmed that compromised URLs are being actively removed from both the DeFiLlama dashboard and browser extension. Despite these measures, users are advised to exercise heightened caution, particularly when revisiting bookmarked DeFi sites that have not been used for some time.
Unlike traditional phishing campaigns or social engineering tactics, these attacks are more passive and insidious. They exploit trust in previously established interfaces, relying on users to return voluntarily—often in attempts to recover funds or interact with smart contracts. With no active teams maintaining these abandoned projects, attackers face little resistance when taking over domains and modifying front-end behavior to prompt dangerous token approvals or transfers.
In one example, cited by a member of MakerDAO's Sakura sub-DAO, a previously active domain is currently listed for just $0.01, which underscores how cheaply malicious actors can acquire and weaponize these digital assets.
Understanding Front-End Attacks
While DeFi protocols operate on decentralized blockchain infrastructure, the average user accesses them through centralized web front-ends that construct wallet transactions. These interfaces are vulnerable to a range of attacks, including DNS hijacking, domain spoofing, and malicious clones spread through social media and search engines.
Not all front-end compromises are due to outright scams. In some cases, exploits stem from software bugs. Earlier this year, Morpho, a lending protocol, experienced a $2.6 million front-end vulnerability that was fortunately mitigated by a white-hat MEV bot before funds could be lost.
A Growing Threat Landscape
Front-end exploits are only one piece of DeFi’s evolving threat matrix. Projects continue to face risks from smart contract bugs, compromised multisig wallets, and even insider threats.
In just the past week:
- ZKsync reported a $5 million loss due to a compromised multisig wallet.
- KiloEx, a decentralized perpetuals exchange, was exploited for $7.5 million through a price oracle manipulation.
- A separate incident involved nearly $780,000 drained via a backdoor, leading to speculation of insider involvement by a rogue developer.
These incidents highlight the critical need for proactive security—beyond contract audits and multisig protections.
Conclusion
As DeFi continues to grow in complexity and scale, so too does its threat landscape. The rise of wallet drainer scams leveraging abandoned project domains is a stark reminder that decentralization, while powerful, also demands a heightened level of individual responsibility.
Bookmarking a trusted site is no longer sufficient. Users must remain vigilant—verifying URLs through official channels, using tools that detect compromised domains, and carefully reviewing every transaction prompt, especially when engaging with obscure or inactive platforms.
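To make "reviewing every transaction prompt" concrete, the following added example (not from the article or from any project it mentions) decodes the raw calldata behind a prompt and flags token approvals and transfers. The function name `reviewCalldata`, the `trusted` allow-list, the risk labels and the sample addresses are assumptions made for illustration.

```javascript
// Added example (not from the article): classify raw calldata a site asks a wallet to sign.
// Keys are the standard 4-byte selectors of these ERC-20 / ERC-721 functions.
const SELECTORS = {
  "095ea7b3": { fn: "approve(address,uint256)", kind: "allowance" },
  "39509351": { fn: "increaseAllowance(address,uint256)", kind: "allowance" },
  "a22cb465": { fn: "setApprovalForAll(address,bool)", kind: "operator" },
  "a9059cbb": { fn: "transfer(address,uint256)", kind: "transfer" },
  "23b872dd": { fn: "transferFrom(address,address,uint256)", kind: "transfer" },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// trusted: hypothetical allow-list of contract addresses the user verified through official channels.
function reviewCalldata(data, trusted = []) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) return { risk: "unknown", reason: "not valid calldata" };
  const entry = SELECTORS[hex.slice(0, 8)];
  if (!entry) return { risk: "unknown", reason: "unrecognized function selector" };
  const words = hex.slice(8).match(/.{64}/g) || [];
  const argc = entry.fn.split(",").length;
  if (words.length !== argc || hex.length !== 8 + 64 * argc) {
    return { risk: "unknown", fn: entry.fn, reason: "malformed arguments" };
  }
  // In all five signatures the last word is the amount/flag and the one before it the counterparty.
  const party = "0x" + words[argc - 2].slice(24);
  const value = BigInt("0x" + words[argc - 1]);
  const known = trusted.map((a) => a.toLowerCase()).includes(party);
  const out = { fn: entry.fn, party, unlimited: value === MAX_UINT256 };
  if (entry.kind === "transfer") {
    return { ...out, risk: known ? "low" : "medium", reason: "moves tokens to " + party };
  }
  if (value === 0n) return { ...out, risk: "low", reason: "revokes an existing approval" };
  if (!known) return { ...out, risk: "high", reason: "grants spending rights to an unverified address" };
  if (entry.kind === "operator") return { ...out, risk: "medium", reason: "operator rights over a whole collection" };
  return { ...out, risk: out.unlimited ? "medium" : "low", reason: "allowance to a verified spender" };
}

// Constructed sample inputs: the addresses below are placeholders, not real contracts.
const word = (h) => h.padStart(64, "0");
const SPENDER = "0x" + "11".repeat(20);
const SAMPLE_UNLIMITED = "0x095ea7b3" + word("11".repeat(20)) + "f".repeat(64);
const SAMPLE_REVOKE = "0x095ea7b3" + word("11".repeat(20)) + word("0");
const SAMPLE_OPERATOR = "0xa22cb465" + word("22".repeat(20)) + word("1");

for (const s of [SAMPLE_UNLIMITED, SAMPLE_REVOKE, SAMPLE_OPERATOR]) {
  console.log(reviewCalldata(s, []));
}
```

An unlimited `approve` to an address outside the allow-list is the pattern to stop on: a site that only needs to display balances or withdraw the user's own funds has no reason to request one.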
In a trust-minimized ecosystem, security begins at the user level. Staying cautious isn’t just good practice—it’s a necessity.